Hi Oliver

I did the upgrade and it works now like expected.

Thanks and Best Regards
Thomas
From: Oliver Welter <[email protected]>
Sent: Wednesday, 23 August 2023 09:53
To: [email protected]
Subject: Re: [OpenXPKI-users] X509 user database

Hi Thomas,

try to set the empty string for role, that should satisfy the type validation while keeping the role assignment from the user source.

We just released v3.26 (for bookworm) which includes the code fix I proposed, so upgrading should also solve the problem.

Oliver

On 21.08.23 14:23, Thomas Gusset wrote:

Hi Oli

Thanks a lot. I changed the handler to:

    Certificate:
        type: ClientX509
        user@: connector:auth.connector.userdbX509
        role: User
        arg: CN
        trust_anchor:
            realm: ivoc-test

Now I can login again, but the role is User (and not RA Operator like defined in /home/pkiadm/userdbX509.yaml).

Best Regards
Thomas

From: Oliver Welter <[email protected]>
Sent: Monday, 21 August 2023 13:06
To: [email protected]
Subject: Re: [OpenXPKI-users] X509 user database

Hi Thomas,

looks like there is a migration bug when no default role is set...

Option 1: keep the "role" parameter to set a default role

Option 2: in OpenXPKI/Server/Authentication/X509.pm, line 145, replace "$self->default_role();" with "$self->role()" - that should then assign any user without a role the empty role, which will cause a login error.

Oli

On 21.08.23 08:38, Thomas Gusset wrote:

Hi Oliver

Thanks for the hint. I changed /home/pkiadm/userdbX509.yaml to

    Thomas Gusset:
        username: Thomas Gusset
        role: RA Operator

But still no success.
I see the following log in openxpki.log:

    2023/08/21 08:33:57 ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_MESSAGE_FAILED; __EVAL_ERROR__ => Attribute (default_role) does not pass the type constraint because: Validation failed for 'Str' with value undef at accessor OpenXPKI::Server::Authentication::X509::default_role (defined at /usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm line 44) line 11
        OpenXPKI::Server::Authentication::X509::default_role('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)') called at /usr/share/perl5/OpenXPKI/Server/Authentication/X509.pm line 145
        OpenXPKI::Server::Authentication::X509::_validation_result('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)', 'HASH(0x561529b95458)') called at /usr/share/perl5/OpenXPKI/Server/Authentication/ClientX509.pm line 46
        OpenXPKI::Server::Authentication::ClientX509::handleInput('OpenXPKI::Server::Authentication::ClientX509=HASH(0x561529879fe0)', 'HASH(0x561529ac7bb8)') called at /usr/share/perl5/OpenXPKI/Server/Authentication.pm line 467
        OpenXPKI::Server::Authentication::login_step('OpenXPKI::Server::Authentication=HASH(0x561525e186a0)', 'HASH(0x561529ad93d8)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 802
        OpenXPKI::Service::Default::__handle_login('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)', 'HASH(0x561529ad9570)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 495
        OpenXPKI::Service::Default::__handle_GET_X509_LOGIN('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)', 'HASH(0x561529ad9570)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 196
        eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 193
        OpenXPKI::Service::Default::__handle_message('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)', 'HASH(0x5615259e2e18)') called at /usr/share/perl5/OpenXPKI/Service/Default.pm line 72
        eval {...} at /usr/share/perl5/OpenXPKI/Service/Default.pm line 71
        OpenXPKI::Service::Default::init('OpenXPKI::Service::Default=SCALAR(0x561525f7d5f0)') called at /usr/share/perl5/OpenXPKI/Server.pm line 531
        OpenXPKI::Server::do_process_request('OpenXPKI::Server=HASH(0x56152204ba48)', 'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at /usr/share/perl5/OpenXPKI/Server.pm line 391
        eval {...} at /usr/share/perl5/OpenXPKI/Server.pm line 390
        OpenXPKI::Server::process_request('OpenXPKI::Server=HASH(0x56152204ba48)', 'Net::Server::Proto::UNIX=GLOB(0x5615253041c0)') called at /usr/share/perl5/Net/Server.pm line 72
        Net::Server::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/Net/Server/Fork.pm line 196
        Net::Server::Fork::run_client_connection('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/Net/Server/Fork.pm line 140
        Net::Server::Fork::loop('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/Net/Server.pm line 58
        Net::Server::run('OpenXPKI::Server=HASH(0x56152204ba48)', 'server_type', 'Fork', 'port', '/var/openxpki/openxpki.socket|unix', 'alias', 'main', 'background', 1, 'socketfile', '/var/openxpki/openxpki.socket', 'process_owner', 106, 'pid_file', '/run/openxpkid.pid', 'socket_owner', 33, 'process_group', 112, 'proto', 'unix', 'no_client_stdout', 1) called at /usr/share/perl5/Net/Server/MultiType.pm line 78
        Net::Server::MultiType::run('OpenXPKI::Server=HASH(0x56152204ba48)', 'server_type', 'Fork', 'port', '/var/openxpki/openxpki.socket|unix', 'alias', 'main', 'background', 1, 'socketfile', '/var/openxpki/openxpki.socket', 'process_owner', 106, 'pid_file', '/run/openxpkid.pid', 'socket_owner', 33, 'process_group', 112, 'proto', 'unix', 'no_client_stdout', 1) called at /usr/share/perl5/OpenXPKI/Server.pm line 123
        OpenXPKI::Server::start('OpenXPKI::Server=HASH(0x56152204ba48)') called at /usr/share/perl5/OpenXPKI/Control.pm line 273
        eval {...} at /usr/share/perl5/OpenXPKI/Control.pm line 268
        OpenXPKI::Control::start('HASH(0x56151fff74b8)') called at /usr/bin/openxpkictl line 137
    , __MESSAGE_NAME__ => GET_X509_LOGIN [pid=37137|sid=/ZBC]

Best Regards
Thomas

From: Oliver Welter <[email protected]>
Sent: Saturday, 19 August 2023 13:24
To: [email protected]
Subject: Re: [OpenXPKI-users] X509 user database

Hi Thomas,

I had a quick look at the code and it looks like the docs are incomplete :)

The user database must return a value for the "username" attribute, so can you please try to add the key "username" into the yaml file and try again.

best regards
Oliver

On 18.08.23 15:09, Thomas Gusset wrote:

Hi

I try to setup GUI authentication with client certificates. It works fine with this handler:

    Certificate:
        type: ClientX509
        role: User
        trust_anchor:
            realm: <my-realm>

I can authenticate, the username is the CN, the role is User.

Now I would like to have a user database to dynamically assign roles to users. Therefore I changed the handler to

    Certificate:
        type: ClientX509
        user@: connector:auth.connector.userdbX509
        arg: CN
        trust_anchor:
            realm: <my-realm>

and added a connector

    userdbX509:
        class: Connector::Proxy::YAML
        LOCATION: /home/pkiadm/userdbX509.yaml

The user database looks like

    John Doe:
        role: RA Operator

where 'John Doe' is the CN of the certificate.

With this configuration I can no longer authenticate: Unknown error (service default handle message failed)

What's wrong with my configuration?

Thanks in advance
Thomas

NetSec.co AG
Thomas Gusset
CEO & CTO
Im alten Riet 125, 9494 Schaan, Liechtenstein
https://netsec.co
+423 388 2777 / +423 388 2770 (direct)
[email protected]
https://threema.id/NK3MJMNP
Chat on MS Teams: https://teams.microsoft.com/l/chat/0/[email protected]

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
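The lookup this thread is configuring, as an added example that is not part of the mailing-list exchange and not OpenXPKI's own code: a plain-Perl simulation of a ClientX509 handler resolving username and role from a YAML user database. The user records are a constructed stand-in for /home/pkiadm/userdbX509.yaml (a real deployment reads them through Connector::Proxy::YAML, keyed by the certificate CN as "arg: CN" specifies), resolve_login is a hypothetical helper rather than the handler's real method, and the precedence it implements (the role from the user source first, the handler's "role" key only as a fallback for records without one) is the behaviour Thomas was after, assumed here rather than read from the OpenXPKI source. It runs the three handler configurations discussed above (an explicit default role, the empty string Oliver suggested, and no role key at all) against records with and without a username or role, and turns the undefined-role case that surfaced in the log as the Moose 'Str' constraint error into an explicit, logged refusal.

```perl
#!/usr/bin/perl
# Added example, not OpenXPKI code: simulate how a ClientX509 handler backed
# by a YAML user database decides username and role for a presented CN.
use strict;
use warnings;

# Constructed stand-in for /home/pkiadm/userdbX509.yaml. Connector::Proxy::YAML
# would hand back the record stored under the CN (arg: CN); a hash models that.
my %userdb = (
    'Thomas Gusset' => { username => 'Thomas Gusset', role => 'RA Operator' },
    'John Doe'      => { role => 'RA Operator' },   # record without "username"
    'Jane Roe'      => { username => 'Jane Roe' },  # record without "role"
);

# resolve_login: hypothetical helper mirroring the handler's decision.
# $handler is the "Certificate:" block as a hash, $cn the client cert's CN.
# Returns a hashref carrying either username/role or an error string.
sub resolve_login {
    my ($handler, $cn) = @_;

    my $rec = $userdb{$cn}
        or return { error => "no user database entry for CN '$cn'" };

    # The user source must deliver "username" (the detail the docs left out).
    defined $rec->{username}
        or return { error => "entry for '$cn' has no username, login refused" };

    # Assumed precedence: the role from the user source wins; the handler's
    # "role" key is only a default for records that carry none.
    my $role = defined $rec->{role} ? $rec->{role} : $handler->{role};

    # The handler's default_role attribute is typed 'Str', so an undef here
    # dies with "Validation failed for 'Str' with value undef" and the UI
    # only shows "service default handle message failed". Refuse explicitly.
    defined $role
        or return { error => "no role for '$cn' and handler has no default role" };

    # The empty string satisfies 'Str' but is not a usable role: no session.
    length $role
        or return { error => "empty role for '$cn', login refused" };

    return { username => $rec->{username}, role => $role };
}

# The three handler configurations from the thread: explicit default role,
# empty default role (the suggested workaround), and no role key at all.
my %configs = (
    'role: User' => { type => 'ClientX509', 'user@' => 'connector:auth.connector.userdbX509',
                      arg => 'CN', role => 'User' },
    "role: ''"   => { type => 'ClientX509', 'user@' => 'connector:auth.connector.userdbX509',
                      arg => 'CN', role => '' },
    'no role'    => { type => 'ClientX509', 'user@' => 'connector:auth.connector.userdbX509',
                      arg => 'CN' },
);

for my $name (sort keys %configs) {
    for my $cn ('Thomas Gusset', 'John Doe', 'Jane Roe', 'Nobody') {
        my $r = resolve_login($configs{$name}, $cn);
        printf "%-12s %-14s -> %s\n", $name, $cn,
            exists $r->{error} ? "ERROR: $r->{error}"
                               : "username=$r->{username} role=$r->{role}";
    }
}
```

Only core Perl is used, so `perl` on the file runs it as-is. The output makes the trade-off visible: with "role: User" every complete record logs in, and a record without a role silently gets User; with the empty string a record without a role is refused instead of being granted a default, which is the safer failure for a user database that is meant to be authoritative.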
